b'                                                                E-IN-MMS-0047-2001\n\n           United States Department of the Interior\n\n                            Office of Inspector General\n                                 Washington, D.C. 20240\n\n\n\n                                                                        March 15, 2002\n\n\nMemorandum\n\nTo:      Director, Minerals Management Service\n\nFrom:    Roger La Rouche\n         Assistant Inspector General for Audits\n\nSubject: Independent Auditors\xe2\x80\x99 Report on the Minerals Management Service\xe2\x80\x99s Financial\n         Statements for Fiscal Years 2001 and 2000 (No. 2002-I-0023)\n\n        We contracted with KPMG LLP, an independent certified public accounting firm,\nto audit the Minerals Management Service\xe2\x80\x99s (MMS) financial statements for fiscal year\n2001. The contract required that KPMG conduct its audit in accordance with the\nGovernment Auditing Standards issued by the Comptroller General of the United States\nof America; Office of Management and Budget Bulletin No. 1-02, Audit Requirements\nfor Federal Financial Statements; and the General Accounting Office/President\xe2\x80\x99s\nCouncil on Integrity and Efficiency Financial Audit Manual. The Office of Inspector\nGeneral (OIG) is responsible for the opinion on the statement of custodial activity and\nrelated notes for fiscal year 2000.\n\n        In connection with the contract, we monitored the progress of the audit at key\npoints and reviewed KPMG\xe2\x80\x99s report and related working papers and inquired of their\nrepresentatives. Our review, as differentiated from an audit in accordance with\nGovernment Auditing Standards, was not intended to enable us to express, and we do not\nexpress, opinions on the MMS\xe2\x80\x99s financial statements or on conclusions about the\neffectiveness of internal controls or on conclusions about compliance with laws and\nregulations. KPMG is responsible for the auditors\xe2\x80\x99 report on the fiscal year 2001\nfinancial statements (Attachment 1) and for the conclusions expressed in the report.\n\n       In its audit report, KPMG issued an unqualified opinion on the MMS\xe2\x80\x99s balance\nsheet and statement of custodial activity for fiscal year 2001. KPMG did not express an\nopinion on the accompanying statements of net cost, changes in net position, budgetary\nresources, and financing for the year ended September 30, 2001. The OIG in its report\n(Attachment 2) issued an unqualified opinion on the MMS\xe2\x80\x99s fiscal year 2000 statement of\ncustodial activity. The OIG did not express an opinion on the balance sheet as of\nSeptember 30, 2000, and statement of net cost of operations for the year then ended.\n\x0c        KPMG found one reportable material weakness in internal controls and one\nreportable condition related to internal controls and financial reporting. With regard to\ncompliance with laws and regulations, KPMG found MMS to be noncompliant with a\nportion of the Federal Financial Management Improvement Act. Specifically, MMS\xe2\x80\x99s\nfinancial management systems did not substantially comply with the United States\nGovernment Standard General Ledger at the transaction level and did not meet Federal\nfinancial management systems requirements. In addition, KPMG found that MMS was\nnot in full compliance with the Prompt Pay Act.\n\n       MMS in its February 7, 2002 response (Attachment 3) concurred with the\nrecommendations and indicated corrective action would be taken. Based on MMS\xe2\x80\x99s\nresponse we consider the recommendations resolved but not implemented. The\nrecommendations will be referred to the Assistant Secretary for Policy, Management and\nBudget for resolution and tracking of implementation.\n\n         Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the OIG to\nlist this report in its semiannual report to the Congress.\n\n        The Independent Auditors\xe2\x80\x99 Report is intended for the information of the\nmanagement of MMS, the Office of Management and Budget, and the United States\nCongress. The report, however, is a matter of public record and its distribution is not\nlimited.\n\n\nAttachments (2)\n\n\n[CONTACT THE MINERALS MANAGEMENT SERVICE FOR INFORMATION\nON ITS FINANCIAL STATEMENTS FOR FISCAL YEAR 2001, WHICH ARE NOT\nINCLUDED.]\n\x0c                               Attachment 1\n\n\n\n\n       A COPY OF THE\n\nINDEPENDENT AUDITOR\xe2\x80\x99S REPORT\n\nIS ON THE PAGES THAT FOLLOW.\n\x0c            2001 M Street, NW\n            Washington, DC 20036\n\n\n\n                                        Independent Auditors\xe2\x80\x99 Report\n\n\nOffice of Inspector General and\nDirector of Minerals Management Service\nDepartment of the Interior:\n\nWe have audited the accompanying consolidated balance sheet of the Minerals Management Service (MMS) as\nof September 30, 2001 and the related statement of custodial activity for the year then ended. The objective of\nour audit was to express an opinion on the fair presentation of the consolidated balance sheet and statement of\ncustodial activity. In connection with our audit, we also considered MMS\xe2\x80\x99s internal control over financial\nreporting and tested MMS\xe2\x80\x99s compliance with certain provisions of applicable laws and regulations that could\nhave a direct and material effect on the consolidated balance sheet and statement of custodial activity.\n\nSUMMARY\n\nAs stated in our opinion, we concluded that the MMS\xe2\x80\x99s consolidated balance sheet and statement of custodial\nactivity as of and for the year ended September 30, 2001 are presented fairly, in all material respects, in\nconformity with accounting principles generally accepted in the United States of America. We did not audit the\naccompanying statements of net costs, changes in net position, budgetary resources, and financing for the year\nended September 30, 2001, and, accordingly, we do not express an opinion on them.\n\nOur consideration of internal control over financial reporting resulted in certain Information Technology (IT)\ndata security control weaknesses and year-end accrual weaknesses being identified as a reportable condition. We\nconsider the IT data security control reportable condition to be a material weakness.\n\nThe results of our tests of compliance with laws and regulations disclosed instances of noncompliance with the\nfollowing laws and regulations that are required to be reported under Government Auditing Standards and Office\nof Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements:\n\n\xe2\x80\xa2   Prompt Payment Act\n\xe2\x80\xa2   Federal Financial Management Improvement Act (FFMIA)\nThe following sections discuss our opinion on MMS\xe2\x80\x99s consolidated balance sheet and statement of custodial\nactivity as of and for the year ended September 30, 2001, our consideration of MMS\xe2\x80\x99s internal control over\nfinancial reporting, our tests of MMS\xe2\x80\x99s compliance with certain provisions of applicable laws and regulations,\nand management\xe2\x80\x99s and our responsibilities.\n\nOPINION ON THE CONSOLIDATED BALANCE SHEET AND STATEMENT OF CUSTODIAL\nACTIVITY\n\nWe have audited the accompanying consolidated balance sheet of the Minerals Management Service as of\nSeptember 30, 2001 and the related statement of custodial activity for the year then ended. The accompanying\nstatements of net costs, changes in net position, budgetary resources, and financing for the year ended September\n30, 2001, were not audited by us and, accordingly, we do not express an opinion on them.\n\x0cIn our opinion, the consolidated balance sheet and statement of custodial activity referred to above, present fairly,\nin all material respects, the financial position of the Minerals Management Service as of September 30, 2001 and\nits custodial activity for the year then ended, in conformity with accounting principles generally accepted in the\nUnited States of America.\n\nAs discussed in Note 10 to the financial statements, MMS changed its accounting and financial reporting for\nFederal royalty distributions to states.\n\nThe information in the Management Discussion and Analysis section is not a required part of the financial\nstatements, but is supplementary information required by the Federal Accounting Standards Advisory Board or\nOMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied certain limited\nprocedures which consisted principally of inquiries of management regarding the methods of measurement and\npresentation of this information. However, we did not audit this information and, accordingly, we express no\nopinion on it.\n\nOur audit was conducted for the purpose of forming an opinion on the consolidated balance sheet and statement\nof custodial activity taken as a whole. The consolidating information on pages 58 to 62 is presented for purposes\nof additional analysis of the consolidated financial statements rather than to present the financial position, net\ncosts, changes in net position, and budgetary resources of MMS\xe2\x80\x99s components individually. The consolidating\nbalance sheet has been subjected to the auditing procedures applied in the audit of the consolidated balance sheet\nand, in our opinion, is fairly stated in all material respects in relation to the consolidated balance sheet taken as a\nwhole. However, we did not audit the consolidated statements of net costs, changes in net position, and\nbudgetary resources, and, accordingly, we do not express an opinion on the related consolidating statements of\nnet costs, changes in net position, and budgetary resources.\n\nINTERNAL CONTROL OVER FINANCIAL REPORTING\n\nOur consideration of internal control over financial reporting would not necessarily disclose all matters in the\ninternal control over financial reporting that might be reportable conditions. Under standards issued by the\nAmerican Institute of Certified Public Accountants, reportable conditions are matters coming to our attention\nrelating to significant deficiencies in the design or operation of the internal control over financial reporting that,\nin our judgment, could adversely affect MMS\xe2\x80\x99s ability to record, process, summarize, and report financial data\nconsistent with the assertions by management in the financial statements.\n\nMaterial weaknesses are reportable conditions in which the design or operation of one or more of the internal\ncontrol components does not reduce to a relatively low level the risk that misstatements, in amounts that would\nbe material in relation to the financial statements being audited, may occur and not be detected within a timely\nperiod by employees in the normal course of performing their assigned functions. Because of inherent\nlimitations in internal control, misstatements, due to error or fraud may nevertheless occur and not be detected.\n\nWe noted certain matters, described below, involving internal control over financial reporting and its operation\nthat we consider to be reportable conditions. We believe that reportable condition no. 2001-01 is a material\nweakness.\n\n      No. 2001-01- Information Technology Data Security Control Weaknesses\n\n      Condition\n\n      MMS did not have adequate information security policies and procedures to meet the requirements of\n      OMB Circular A-130, Security of Federal Automated Information Resources. OMB Circular A-130\n      provides requirements to ensure adequate security for information relating to general support systems and\n      major application systems. The MMS also did not have effective policies and procedures to control and\n      protect information systems. Specifically, we noted weaknesses in the following areas:\n\n\n                                                          2\n\x0cEntity-wide Security Program: The MMS security plan did not contain all of the information required\nby OMB Circular A-130, Appendix III. Specifically, MMS did not:\n\n\xe2\x80\xa2   Perform an adequate risk assessment of the Advanced Budget/Accounting Control and Information\n    System (ABACIS)\n\xe2\x80\xa2   Obtain approval for the ABACIS security plan\n\xe2\x80\xa2   Document, implement, and update appropriate security policies\n\xe2\x80\xa2   Establish and document a bureau-wide policy for security-related personnel actions\n\xe2\x80\xa2   Develop an entity-wide security awareness training program\nAccess Controls: MMS did not have adequate controls to limit or detect access to information systems to\nprotect against unauthorized modification, loss, and disclosure of data. We noted that MMS had\nweaknesses in:\n\n\xe2\x80\xa2   Review and timely deactivation of physical access\n\xe2\x80\xa2   Timely removal of terminated and temporary access to information systems\n\xe2\x80\xa2   Application security software\n\xe2\x80\xa2   Granting and deleting dial-up access privileges\n\xe2\x80\xa2   Password administration\n\xe2\x80\xa2   Network security\nSystem Software Controls: MMS did not establish controls to monitor operating system activities and\noperating system security parameters have not been set for effective logging of user activity.\n\nService Continuity: MMS had not conducted recent tests of its contingency plans to minimize the risk of\nunplanned interruptions and to minimize the risk of recovery of critical operations to protect data should\ninterruptions occur.\n\nRecommendation\n\nMMS should improve controls over information technology systems to ensure adequate security and\nprotection of information resources. MMS should test contingency plans annually and analyze the results\nonce testing has been conducted.\n\nManagement Response\n\nEntity-wide Security Program: The MMS concurs with the finding and recommendation. We will\nrevise the security plan to fully comply with OMB Circular A-130, Appendix III, by June 30, 2002.\nAdditionally, we will contract to have an independent risk assessment of ABACIS completed by June 30,\n2002.\n\nAccess Controls and System Software Controls: The MMS concurs with the finding and\nrecommendation. We have developed a project schedule to address each of the noted deficiencies to\npermit full compliance by June 30, 2002. Additionally, we installed on the Hewlett Packard mini-\ncomputer on December 17, 2001, a finer grain access control software package that limits failed login\nattempts.\n\nService Continuity: The MMS concurs with the finding and recommendation. We have developed\nmilestones to test and analyze all applicable contingency plans (HP COOP/Mutual Aid Agreement, LAN\nCOOP, and Atrim Building COOP) by August 30, 2002.\n\n                                                 3\n\x0c      No. 2001-02- Year-end Accounts Payable and Accounts Receivable Accrual Process\n\n      Condition\n\n      At the conclusion of the fiscal 2000 audit, the OIG issued a reportable condition related to certain\n      deficiencies in MMS\xe2\x80\x99s processes for making year-end accruals for both accounts payable and unbilled\n      accounts receivable. During the fiscal 2001 audit, we noted that management established and implemented\n      new policies and procedures to facilitate the preparation of year-end accruals for accounts payable and\n      accounts receivable. However, we also identified numerous over and under accruals of accounts payable\n      and unbilled accounts receivable as a result of analysts not appropriately implementing MMS\xe2\x80\x99s new\n      policies and procedures.\n\n      Recommendation\n\n      We recommend that MMS provide additional training to analysts responsible for preparing year-end\n      accruals and strengthen supervisory review controls.\n\n      Management Response\n\n      The MMS acknowledges that additional effort is required to ensure that sufficient accruals are recorded for\n      accounts payable and accounts receivable at year-end. We will host an audit lessons learned training\n      session to address the deficiencies and will also institute an internal control review process to ensure that\n      program offices are following the established guidelines. The lessons learned session is scheduled for mid-\n      spring 2002.\n\nA summary of the status of prior year reportable conditions can be found at Exhibit 1. We also noted other\nmatters involving internal control over financial reporting and its operation that we have reported to the\nmanagement of MMS in a separate letter dated January 9, 2002.\n\nCOMPLIANCE WITH LAWS AND REGULATIONS\n\nThe results of our tests of compliance with the laws and regulations described in the Responsibilities section of\nthis report disclosed instances of noncompliance with the following laws and regulations that are required to be\nreported under Government Auditing Standards and OMB Bulletin No. 01-02:\n\nPrompt Payment Act\n\nWe identified six invoices totaling approximately $2.6 million in our test sample of 198 payments to vendors\nwhich were paid after the allowable time period under the Prompt Payment Act and the payments did not include\ninterest as required by the Act.\n\nManagement Response\n\nThe MMS concurs with the finding and recommendation. We will implement additional internal control\nprocedures and provide additional training to the Procurement staffs to ensure that invoices are received timely in\naccordance with the Prompt Payment Act. Training and procedures will be developed by June 30, 2002.\n\nFFMIA\n\nThe results of our tests of FFMIA disclosed instances, described below, where MMS\xe2\x80\x99s financial management\nsystems did not substantially comply with the Federal financial management systems requirements and the U.S.\nStandard General Ledger at the transaction level.\n\n\n\n\n                                                        4\n\x0c\xe2\x80\xa2   Federal Financial Management Systems Requirements\n    As previously discussed in the Internal Control Over Financial Reporting section of this report, MMS did not\n    have adequate information security policies and procedures to meet the Federal financial management system\n    requirements of FFMIA.\n\n    Management Response\n    The MMS concurs with the finding and recommendation. System-specific policies will be developed and\n    implemented to improve the authentication process and to minimize network security risks. These policies\n    will be published by June 30, 2002.\n\xe2\x80\xa2   U.S. Standard General Ledger at the Transaction Level\n    MMS accounts for its Minerals Revenue Management (MRM) activities using the Auditing and Financial\n    System (AFS). The AFS system does not account for transactions using the U.S. Standard General Ledger at\n    the transaction level. Consequently, it is not FFMIA compliant.\n\n    Management Response\n    The MMS concurs with the finding and recommendation. The new MRM system will account for\n    transactions using the U.S. Standard General Ledger. This new system was brought on-line November 1,\n    2001. On December 6, 2001, the U.S. District Court issued an order that required the Department of the\n    Interior to disconnect from the Internet all systems that may have Indian Trust related data. This order\n    effectively shut-down the new MRM system for processing and producing reports. As an interim measure,\n    MRM has processed payments to state governments for December 2001 and January 2002 based on a\n    percentage of the three month average of the three preceding months; and has forwarded to the Office of\n    Trust Funds Management, using SF-1081s, those amounts applicable to Tribal Trust and Individual Indian\n    Monies accounts based on collection receipt and advice from the payors.\nThe results of our tests disclosed no instances in which MMS\xe2\x80\x99s financial management systems did not\nsubstantially comply with the Federal accounting standards.\n\nRESPONSIBILITIES\n\nManagement\xe2\x80\x99s Responsibility\n\nThe Government Management Reform Act (GMRA) of 1994 requires federal agency\xe2\x80\x99s to report annually to\nCongress on its financial status and any other information needed to fairly present its financial position and\nresults of operations. To meet the GMRA reporting requirements, MMS prepares annual financial statements.\n\nManagement is responsible for:\n\n      \xe2\x80\xa2   Preparing the financial statements in conformity with accounting principles generally accepted in the\n          United States of America;\n      \xe2\x80\xa2   Establishing and maintaining internal controls over financial reporting and performance measures; and\n      \xe2\x80\xa2   Complying with laws and regulations, including FFMIA.\nIn fulfilling this responsibility, estimates and judgments by management are required to assess the expected\nbenefits and related costs of internal control policies.\n\n\n\n\n                                                       5\n\x0cAuditors\xe2\x80\x99 Responsibility\n\nOur responsibility is to express an opinion on MMS\xe2\x80\x99s consolidated balance sheet as of September 30, 2001, and\nthe statement of custodial activity for the year then ended, based on our audit. We conducted our audit in\naccordance with auditing standards generally accepted in the United States of America, the standards applicable\nto financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United\nStates, and OMB Bulletin No. 01-02. Those standards and OMB Bulletin No. 01-02 require that we plan and\nperform the audit to obtain reasonable assurance about whether the consolidated balance sheet and statement of\ncustodial activity are free of material misstatement.\n\nAn audit includes:\n\n      \xe2\x80\xa2   Examining, on a test basis, evidence supporting the amounts and disclosures relating to the\n          consolidated balance sheet and statement of custodial activity;\n      \xe2\x80\xa2   Assessing the accounting principles used and significant estimates made by management; and\n      \xe2\x80\xa2   Evaluating the overall consolidated balance sheet and statement of custodial activity presentation.\nWe believe that our audit provides a reasonable basis for our opinion.\n\nIn planning and performing our audit, we considered MMS\xe2\x80\x99s internal control over financial reporting by\nobtaining an understanding of MMS\xe2\x80\x99s internal control, determining whether internal controls had been placed in\noperation, assessing control risk, and performing tests of controls in order to determine our auditing procedures\nfor the purpose of expressing our opinion on the consolidated balance sheet and statement of custodial activity.\nWe limited our internal control testing to those controls necessary to achieve the objectives described in OMB\nBulletin No. 01-02 and Government Auditing Standards. We did not test all internal controls relevant to\noperating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982. The objective\nof our audit was not to provide assurance on internal controls over financial reporting. Consequently, we do not\nprovide an opinion on internal control over financial reporting.\n\nAs required by OMB Bulletin No. 01-02, with respect to internal control related to performance measures\ndetermined by management to be key and reported in the Management Discussion and Analysis, we obtained an\nunderstanding of the design of significant internal controls relating to the existence and completeness assertions.\nOur procedures were not designed to provide assurance on internal control over performance measures and,\naccordingly, we do not provide an opinion on such controls.\n\nAs part of obtaining reasonable assurance about whether MMS\xe2\x80\x99s fiscal year 2001 consolidated balance sheet and\nstatement of custodial activity are free of material misstatement, we performed tests of MMS\xe2\x80\x99s compliance with\ncertain provisions of laws and regulations, noncompliance with which could have a direct and material effect on\nthe determination of consolidated balance sheet and statement of custodial activity amounts, and certain\nprovisions of other laws and regulations specified in OMB Bulletin No. 01-02, including certain provisions\nreferred to in FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence,\nand we did not test compliance with all laws and regulations applicable to MMS. Providing an opinion on\ncompliance with laws and regulations was not an objective of our audit, and, accordingly, we do not express such\nan opinion.\n\nUnder FFMIA, we are required to report whether MMS\xe2\x80\x99s financial management systems substantially comply\nwith (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and\n(3) the United States Government Standard General Ledger at the transaction level. To meet this requirement,\nwe performed tests of compliance with FFMIA section 803(a) requirements.\n\n\n\n\n                                                        6\n\x0cDISTRIBUTION\n\nThis report is intended for the information and use of MMS\xe2\x80\x99s management, the Department of the Interior\xe2\x80\x99s\nOffice of the Inspector General, OMB, and the U.S. Congress and is not intended to be, and should not be, used\nby anyone other than these specified parties.\n\n\n\n\nJanuary 9, 2002\n\n\n\n\n                                                      7\n\x0c                                                                               Attachment 2\n\n            United States Department of the Interior\n\n                              Office of Inspector General\n                                   Washington, D.C. 20240\n\n\n\n\n                          Independent Auditors\xe2\x80\x99 Report\n\nTo:        Director, Minerals Management Service\n\nSubject:   Minerals Management Service\xe2\x80\x99s Financial Statements for Fiscal Year 2000\n\n        We have audited the Minerals Management Service\xe2\x80\x99s (MMS) statement of\ncustodial activity and related notes. The objective of our audit was to express an opinion\non the fair presentation of the statement of custodial activity. This financial statement is\nthe responsibility of the MMS, and our responsibility is to express an opinion, based on\nour audit, on this financial statement.\n\n        We conducted our audit in accordance with the auditing standards generally\naccepted in the United States of America; the standards for financial audits contained in\nGovernment Auditing Standards, issued by the Comptroller General of the United States;\nand with Office of Management and Budget (OMB) Bulletin No. 01-02, Audit\nRequirements for Federal Financial Statements. These standards and OMB Bulletin No.\n01-02 require that we plan and perform our audit to obtain reasonable assurance as to\nwhether the accompanying statement of custodial activity is free of material\nmisstatement. An audit includes examining, on a test basis, evidence supporting the\namounts and disclosures contained in the statement of custodial activity and the\naccompanying notes. An audit also includes assessing the accounting principles used and\nthe significant estimates made by management, as well as evaluating the overall\npresentation of the statement of custodial activity. We believe that our audit of the\nstatement of custodial activity provides a reasonable basis for our opinion.\n\n        In our opinion, the statement of custodial activity referred to above presents fairly,\nin all material respects, the custodial activity of MMS for the year ended September 30,\n2000, in conformity with accounting principles generally accepted in the United States of\nAmerica.\n\n        As discussed in notes 1.2C and D to the financial statements, MMS restated its\nstatement of custodial activity for accruals and for a change in accounting related to\nundistributed custodial fund balances. In addition, as discussed in note 10 to the financial\nstatements, MMS changed its accounting and financial reporting for royalty distributions\nto the states.\n\x0c        In our report dated September 4, 2001, we did not express an opinion on MMS\xe2\x80\x99s\nconsolidated balance sheet as of September 30, 2000, consolidated statement of net cost,\nconsolidated statement of changes in net position, statement of budgetary resources and\nstatement of financing for the year ended September 30, 2000 because MMS did not\npresent its financial statements and related disclosures for audit in a timely manner.\nAccordingly, we are not expressing an opinion on the restated consolidated balance sheet\nas of September 30, 2000, and the restated consolidated statement of net cost for the year\nended September 30, 2000.\n\n\n\n\nRoger La Rouche\nAssistant Inspector General for Audits\nSeptember 4, 2001 except for Notes 1.2, 10, and 13 to 16\nas to which the date is January 9, 2002\n\x0c'